HIPAA Awareness Training for Business Associates

Episode 13: Know The Rules! HIPAA Security Awareness Training for Business Associates

It is imperative for Covered Entities (CEs) and Business Associates (BAs) alike to provide the members of their workforce who handle electronic protected health information (ePHI) with frequent HIPAA Security Awareness Training, as defined in 45 CFR § 164.308(a)(5), regardless of the organization’s size. The amount and type of training will depend on your organization and its security risks.

CEs are not required to provide training to their BAs or anyone else that is not a member of their workforce.

Your HIPAA Security Awareness Training should include:

  • Security Reminders
  • Protection from Malicious Software
  • Log-in Monitoring
  • Password Management

Training is NOT meant to be a one-time type of activity, but rather an on-going, evolving process as an entity’s security needs and procedures change.

Common Belief:

My Electronic Health Records (EHR) vendor took care of everything I need to do about privacy and security.

This statement is False! Your EHR vendor may be able to provide information, assistance, and training on the privacy and security aspects of the EHR product. However, EHR vendors are not responsible for making their products compliant with HIPAA Privacy and Security Rules.

When was the last time you updated your HIPAA Security Risk Analysis?

Business Associates (BAs) of ALL sizes and levels of complexity must conduct and document a comprehensive HIPAA Security Risk Analysis of the computer and other information systems they use to create, receive, maintain, or transmit electronic Protected Health Information (ePHI), in order to identify potential risks and respond accordingly (45 CFR § 164.308(a)(1)).

It is solely your responsibility to have a complete risk analysis conducted.

Note: Security is not a one-time project, but rather an on-going, dynamic process that will create new challenges as CEs’ and BAs’ organizations change and as technologies change.

Covered Entities and Business Associates need to understand that your patients are entrusting YOU with their most private and intimate details, and they expect those details to remain secure.

Besides, it is YOUR practice, YOUR patients, YOUR reputation and YOUR legacy! Why are you leaving yourself wide open to such risks?

Don’t know where or how to start or update your HIPAA security compliance program? Let’s chat about your compliance program – schedule a call with HIPAA alli today!